COUNTING POINTS ON ELLIPTIC CURVES OVER F q

Transcription

1 COUNTING POINTS ON ELLIPTIC CURVES OVER F q RENYI TANG Abstract. In this expository paper, we introduce elliptic curves over finite fields and the problem of counting the number of rational points on a curve. To solve this problem, we study finite fields, endomorphisms, Frobenius endomorphisms, torsion groups, and division polynomials. We prove several useful intermediate results and finally prove Hasse s theorem, which gives a bound to the number of rational points on a curve, and prove the legitimacy of Schoof s algorithm, which offers an efficient way to count this number precisely. Contents 1. Introduction 1 2. Preliminaries Properties of elliptic curves Finite fields 3 3. Endomorphisms and Frobenius Endomorphisms Separability of endomorphisms of the form rφ q + s Degree of endomorphisms of the form aα + bβ Characteristic equation of Frobenius endomorphisms Bounding #EF q ): Hasse e theorem Schoof s algorithm Division polynomials Proof and summary of Schoof s algorithm An example that applies Schoof s algorithm 18 Acknowledgment 19 References Introduction Elliptic curves play an important role in cryptography and number theory. The two common applications of the theory of elliptic curves are solving discrete logarithm problems DLP) and factorizing large integer primes, both of which have been widely used in current encryption techniques. DLP uses the fact that it is hard to reverse-engineer the element in a group whose n-th power is a another element in the group. In general, the harder a DLP is designed to solve, the more secure the encryption technique that uses it is. In order to make a DLP harder, a major step is to compute the number of points on an elliptic curve whose coordinates are in the same field. For some fields such as Q, R and C, some useful results in mathematics have been found. This paper concerns the two significant results for finite fields Date: August

2 2 RENYI TANG F q, the most commonly used fields in cryptography. First, Hasse s theorem gives a strong bound for the number of points on an elliptic curve whose coordinates are in a finite field. Second, Schoof s algorithm outlines a mathematically legitimate and by far one of the most time-efficient algorithms to count the exact number of such points. 2. Preliminaries 2.1. Properties of elliptic curves. The formal definition of elliptic curves requires some background in algebraic geometry. In order to understand the major concepts of elliptic curves in this paper, it is sufficient to define them in elementary algebra and geometry. Over R, an elliptic curve is a curve given by an equation of the form y 2 = x 3 + Ax + B, where A and B are real constants. In this case, x, y, A and B belong to R, but they can belong to any set. They will usually taken to be elements of a field K, such as Q, R, C, or a finite field F q. Definition 2.1. An elliptic curve E defined over a field K is the graph of an equation of the form y 2 = x 3 + Ax + B, where A, B are constants and A, B, x, y K. This will be referred to as the Weierstrass equation for an elliptic curve. For technical reasons, it is useful to add a point at infinity to an elliptic curve. It is easiest to regard it as a point, ), usually denoted simply by, sitting at the top of the y-axis. It will be a formal symbol satisfying certain computational rules. For example, a vertical line is said to pass. With the point at infinity, the set {x, y) y 2 = x 3 + Ax + B} { } is a group under the group law defined below. Definition 2.2 Group Law). Let P 1 = x 1, y 1 ) and P 2 = x 2, y 2 ) be elements in E with P 1, P 2. Define x 3, y 3 ) = P 3 = P 1 + P 2 as follows: 1) If x 1 x 2, then x 3 = m 2 x 1 x 2, y 3 = mx 1 x 3 ) y 1, where m = y 2 y 1 x 2 x 1. 2) If x 1 = x 2 and y 1 y 2, then P 1 + P 2 =. 3) If P 1 = P 2 and y 1 0, then x 3 = m 2 2x 1, y 3 = mx 1 x 3 ) y 1, where m = 3x2 1 + A 2y 1. 4) If P 1 = P 2 and y 1 = 0, then P 1 + P 2 =. Moreover, define P + = P for all P in E. We also require that the curve is nonsingular. Algebraically, this holds if and only if the discriminant 4A B 2 is not equal to zero. Geometrically, the group law can be interpreted as follows: 1) The line connecting two distinct points on the curve must have another intersection with the curve. The proof can be found in [2]. Suppose the line generated by P 1 and P 2 intersects with the curve at P 3. Since the curve is symmetric with respect to the x-axis, the point reflected by P 3 is also on the curve, and is defined as P 3 = P 1 + P 2.

3 COUNTING POINTS ON ELLIPTIC CURVES OVER F q 3 2) The sum of a point and its reflection point with respect to the x-axis is defined to be. 3) If P 1 and P 2 coincide and y 1 = y 2 0, then the line is defined to be the tangent line at P. P 3 is then defined in a similar way as in the first case. 4) If P 1 and P 2 coincide and y 1 = y 2 = 0, their sum is defined to be. Theorem 2.3 Group properties). The addition of points on an elliptic curve E satisfies the following properties: 1) P 1 + P 2 = P 2 + P 1 commutativity) 2) P + = P for all P E existence of identity) 3) For any P E, there exists P E with P + P =. P is denoted by P existence of inverses) 4) P 1 + P 2 ) + P 3 = P 1 + P 2 + P 3 ) for all P 1, P 2, P 3 E associativity). In other words, the points in E form an abelian group with as the identity element. Proof. All four are rather obvious except associativity. It can be verified by brute force calculation with the formulas in Definition 2.2. Another approach uses projective space, which we will not delve into in this paper. It can be found in [1] Chapter 2. For an elliptic curve E defined over K, it is useful to consider points with coordinates in some field L K. Definition 2.4. Let E be defined over K. The L-rational points of E is the set of all points in E with coordinates in a field L K and the point at infinity. EL) = {x, y) L L y 2 = x 3 + Ax + B} { }. Theorem 2.5. EL) is a subgroup of E. Proof. It is sufficient to prove that EL) is a nonempty subset of the group E and that it is closed under addition and inverse. Suppose P 1 = x 1, y 1 ) and P 2 = x 2, y 2 ) are in EL). We have P 1 + P 2 = P 3 = x 3, y 3 ) and P 1 = x 1, y 1 ). By the curve equation, y 1 ) 2 = x Ax 1 + B, which means P 1 EL). By applying the group law, x 3, y 3 ) has 3 possible choices, 1) x 3 = m 2 x 1 x 2, y 3 = mx 1 x 3 ) y 1, where m = y2 y1 x 2 x 1 if x 1 x 2 ) 2) x 3 = m 2 2x 1, y 3 = mx 1 x 3 ) y 1, where m = 3x2 1 +A 2y 1 if P 1 = P 2 and y 1 0) 3) if x 1 = y 2 and y 1 y 2, or when P 1 = P 2 and y 1 = 0). These expressions are well defined since we are working over a field L. This means x 3, y 3 L and thus x 3, y 3 ) EL) Finite fields. We will review some basic properties of finite fields and prove several useful results. Definition 2.6. A finite field F q is a field that contains a finite number of elements. Definition 2.7. The characteristic of a field is the smallest number of times one must use the field s multiplicative identity 1) in a sum to get the additive identity 0) if the sum does indeed eventually attain 0. If the sum never attains 0, the characteristic is defined to be 0.

4 4 RENYI TANG Proposition 2.8. A field with non-zero characteristic must have prime characteristic. Proof. Let n > 0 be the characteristic of K. If n is a composite number, then n = ab for some a, b 2. Since a, b < n, then a, b 0, but we have n = ab = 0, hence a contradiction because K is a field. Theorem 2.9. A finite field of order q exists if and only if q = p k, where p is a prime number and k is a positive integer. Proposition In a finite field of order p k, the characteristic of the field is p. Proposition In a finite field of order q, the polynomial X q X has all q elements of the finite field as roots. Proof. Clearly x = 0 satisfies this relation. The nonzero elements of F q form a group under multiplication. Therefore, for every x 0, its order divides q 1, hence x q 1 = x and therefore x q = x for all x F q. Notation We write a finite field with k = 1 as F p, and with k > 1 as F q or F p k. Proposition Given a finite field F q of characteristic p, x + y) p = x p + y p for any x, y in F q. Proof. We know p is a prime. Binomial expansion gives coefficients of the form ) p p! =, which can be rearranged as k k!p k)! ) p k! = pp 1)p 2)... p k + 1). k Since p is a prime, p must either divide k! or p k), but p cannot divide k! unless k = p or 0. Therefore, p p k) for all 0 < k < q. All terms in the binomial expansion are 0 except x p and y p. Remark By induction, x 1 + x x n ) p = x p 1 + xp xp n for all x i in F q with 0 < i < q. Theorem Let F q be a finite field and F q be its algebraic closure. Then F q = {α F q α q = α}. Proof. The group F q of nonzero elements of F q forms a group of order q 1. By Lagrange s theorem, α q 1 = 1 for all nonzero α F q. Therefore, α q = α for all nonzero α F q. A polynomial has multiple roots if and only if it shares a common root with its derivative. The polynomial X q d X has no multiple roots since dx Xq X) = qx q 1 1 = 1. Therefore, there are q distinct α F p such that α q = α. Since both sets in the statement of the theorem have q elements and the former is contained in the later, they are equal.

5 COUNTING POINTS ON ELLIPTIC CURVES OVER F q 5 3. Endomorphisms and Frobenius Endomorphisms Endomorphisms and Frobenius endomorphisms are important in the proof of Hasse s theorem. Definition 3.1. Let E be an elliptic curve defined over K. An endomorphism of E is a homomorphism α : EK) EK) that is given by rational functions, where K is the algebraic closure of K. In other words, αp 1 +P 2 ) = αp 1 )+αp 2 ), and there are rational functions quotients of polynomials) R 1 x, y), R 2 x, y) with coefficients in K such that αx, y) = R 1 x, y), R 2 x, y)) for all x, y) in EK). In addition, we define α ) =. We will also assume that α is nontrivial; that is, αx, y) is not always. The trivial endomorphism is denoted by 0. The rational functions may not be defined in some situations, i.e. the denominator is 0. We will deal with these situations later. The curve equation gives a relation between x and y, and so we can use it to get a more uniform form for R 1 and R 2. We can replace any even power of y with a polynomial in x and any odd power of y with a polynomial in x times y. Therefore, we may assume that Rx, y) = p 1x) + p 2 x)y p 3 x) + p 4 x)y. Then multiply both numerator and denominator by p 3 x) p 4 x)y, and we get a nice form 3.2) Rx, y) = q 1x) + q 2 x)y. q 3 x) In order to further simply it, consider the endomorphism Since α is also a homomorphism, This means that αx, y) = R 1 x, y), R 2 x, y)). αx, y) = α x, y)) = αx, y). R 1 x, y) = R 1 x, y), R 2 x, y) = R 2 x, y). By 3.2), q 2 = 0 for R 1 and q 1 = 0 for R 2. Therefore, we can assume that with r 1, r 2 being rational functions. αx, y) = r 1 x), r 2 x)y) Definition 3.3. The degree of a nontrivial endomorphism α is defined to be degα) = max{degpx)), degqx))}, where αx, y) = r 1 x), r 2 x)y) and px)/qx) = r 1 x). Definition 3.4. An endomorphism α 0 is separable if the derivative r 1x) is not identically zero.

6 6 RENYI TANG Proposition 3.5. Let αx, y) = px)/qx), ysx)/tx)) be an endomorphism of the elliptic curve E over K given by y 2 = x 3 + Ax + B, where p, q, s, t are polynomials such that p and q have no common roots and s and t have no common roots. If tx 0 ) = 0, then qx 0 ) = 0. In other words, if qx 0 ) 0, then both p/q and s/t are defined and so is αx, y). Proof. We first show that x 3 + Ax + B)sx) 2 tx) 2 = ux) qx) 3 for some polynomial ux) such that q and u have no common roots. By the group law formulas in Definition 2.2, y 2 s 2 t 2 = p3 q 3 + Ap q + B x 3 + Ax + B)sx) 2 tx) 2 = px)3 + Apx)qx) 2 + Bqx) 3 qx) 3. If p 3 + Apq 2 + Bq 3 has a common root with q 3, p must have a common root with q. This is a contradiction. Suppose tx 0 ) = 0 for x 0. Then x 0 are two roots of tx 0 ) 2. Since x 3 + Ax + B has no multiple roots by definition and s and t share no common roots, q must share at least one x 0 with t. Theorem 3.6. Let α 0 be a separable endomorphism of an elliptic curve E defined over K. Then degα) = # kerα), where kerα) is the kernel of the homomorphism α : EK) EK). If α 0 is not separable, then degα) > # kerα). Proof. Write αx, y) = r 1 x), yr 2 x)) with r 1 x) = px)/qx), as above. If α is separable, r 1 0. So p q pq is not the zero polynomial. Let S = {x K pq p q)x)qx) = 0}. Let a, b) EK) be such that 1) a 0, b 0, a, b), 2) degpx) aqx)) = max{degpx)), degqx))} = degα), 3) α / r 1 S), and 4) a, b) αek)). The reason why such a a, b) exists is as follows: 1) Since pq p q is not identically zero, S is a finite set. Hence its image under α, αs), is finite. 2) The function r 1 x) is easily seen to take on infinitely many distinct values as x runs through K. 3) Since for each x, there is a point x, y) EK), αek)) is an infinite set. We claim that there are exactly degα) points x 1, y 1 ) EK) such that αx 1, y 1 ) = a, b). For such a point x 1, y 1 ) we have px 1 ) qx 1 ) = a, y 1r 2 x 1 ) = b.

7 COUNTING POINTS ON ELLIPTIC CURVES OVER F q 7 Since a, b), qx 1 ) 0. By Proposition 3.5, r 2 x 1 ) is defined. Since b 0 and y 1 r 2 x 1 ) = b, we must have y 1 = b/r 2 x 1 ). Therefore x 1 determines y 1 in this case. So we only need to count values of x 1. By assumption 2), px) aqx) has degα), and so px) aqx) = 0 has degα) roots, counting multiplicities. However, we need to show that it does not have multiple roots because the homomorphism α acts on the group EK), whose elements are all distinct. Suppose that x 0 is a multiple root. Then Multiplying them yields px 0 ) = aqx 0 ) and p x 0 ) = aq x 0 ). apx 0 )q x 0 ) = ap x 0 )qx 0 ). Since a 0, this implies that x 0 is a root of pq p q)x), so x 0 S. Thus, a = r 1 x 0 ) r 1 S), which is contrary to assumption 3). Therefore, there are exactly degα) points x 1, y 1 ) EK) such that αx 1, y 1 ) = a, b). In addition, we know that for a homomorphism α : G G, # kerα) is equal to the size of the preimage of any element in G. Therefore, degα) = # kerα). If α is not separable, then the above proof still holds except that p aq is identically zero. This means px) aqx) = 0 always has multiple roots and therefore the kernel size is smaller than degα). Lemma 3.7. Let α 0 be an endomorphism of E defined over K. Then α : EK) EK) is surjective. Proof. Choose a random point a, b) EK). Since α ) =, we may assume that a, b). Let r 1 x) = px)/qx) be as in Theorem 3.6. If px) aqx) is not a constant polynomial, then it has a root x 0. Since p and q do not have common roots, qx 0 ) 0. Choose y 0 K to be either square root of x Ax 0 + B. By Lemma 3.21, αx 0, y 0 ) is defined and thus equals a, b ) for some b. Then we have b 2 = x 3 + Ax + B = b 2. If b = b, then αx 0, y 0 ) = a, b ) = a, b). This means we have successfully found an inverse image for a, b). If b = b, then αx 0, y 0 ) = a, b ) = a, b). So x 0, y 0 ) is an inverse image. We need to consider the case when p aq is a constant polynomial. By Theorem 3.6, the kernel of α is finite, and so only finitely many points of EK) can map to a point with a given x-coordinate. Therefore, either px) or qx) is not constant. Otherwise, there are infinitely many x that map to the same a. Thus p and q are two nonconstant polynomials. There is at most one constant a such that p aq is constant if a is another such number, then a a)q = p aq) p a q) is constant and a a)p = a p aq) ap a q) is constant, which means p is constant and thus q as well. Therefore, there are at most two points, a, b) and a, b) for some b, that are not in the range of α. Let a 1, b 1 ) be any other point. Then αp 1 ) = a 1, b 1 ) for some P 1. We can choose a 1, b 1 ) such that a 1, b 1 ) + a, b) a, ±b), so there exists P 2 with αp 2 ) = a 1, b 1 )+a, b). Then αp 2 P 1 ) = a, b), and αp 1 P 2 ) = a, b). Therefore α is surjective. Definition 3.8. Let F q be a finite field with algebraic closure F q. Let φ is called the Frobenius map of F q. φ : F q F q, x x q.

8 8 RENYI TANG Proposition 3.9. Let φ be a Frobenius map of F q. Let α F q. Then α F q φα) = α. Proof. This is a restatement of Theorem Definition Let E be defined over F q, whose algebraic closure is F q. The Frobenius endomorphism of E of degree q is In addition, we define φ q ) =. φ q : EF q ) EF q ), x, y) x q, y q ). Proposition Let E be defined over F q. Let φ q be a Frobenius endomorphism of E. Consider the points x, y) EF q ). Then 1) φ q x, y) EF q ). 2) x, y) EF q ) if and only if φ q x, y) = x, y). Proof. Raise both sides of the curve equation to the qth power, and we get y q ) 2 = x q ) 3 + Ax q ) + B. This means that x q, y q ) EF q ). By Proposition 3.9, x F q if and only if φx) = x, and similarly for y. Therefore x, y) EF q ) x, y F q φx) = x and φy) = y φ q x, y) = x, y). Lemma Let E be defined over F q. Let φ q be a Frobenius endomorphism of E. 1) φ q is an endomorphism of EF q ). 2) φ q is not separable. Proof. By its definition, φ q is given by rational functions. We only need to prove that φ q is a homomorphism. Let P 1 = x 1, y 1 ) and P 2 = x 2, y 2 ) in F q with x 1 x 2. By the group law, P 3 = P 1 + P 2 = x 3, y 3 ) with x 3 = m 2 x 1 x 2, y 3 = mx 1 x 3 ) y 1, where m = y 2 y 1 x 2 x 1. Raise everything to the qth power to obtain x q 3 = m ) 2 x q 1 xq 2, yq 3 = m x q 1 xq 3 ) yq 1, where m = yq 2 yq 1 x q 2. xq 1 This means that φ q x 3, y 3 ) = φ q x 1, y 1 ) + φ q x 2, y 2 ). The cases where x 1 = x 2 but y 1 y 2, or where P 1 = P 2 and y 1 = 0, or where one of the points is are checked similarly. One subtlety arises in the case where P 1 = P 2 and y 1 0. In this case, x 3 = m 2 2x 1, y 3 = mx 1 x 3 ) y 1, where m = 3x2 1 + A 2y 1.

9 COUNTING POINTS ON ELLIPTIC CURVES OVER F q 9 After raising them to the qth power, we obtain x q 3 = m ) 2 2x q 1, yq 3 = m x q 1 xq 3 ) yq 1, where m = 3q x q 1 )2 + A 2 q y q. 1 Since 2, 3, A F q, 2 q = 2, 3 q = 3, A q = A. Thus 2, 3, A remain the same in m and φ q x 3, y 3 ) = φ q x 1, y 1 ) + φ q x 2, y 2 ) still holds. In any case, φ q is a homomorphism. φ q is not separable because q = 0 in F q and so the derivative of x q is identically zero Separability of endomorphisms of the form rφ q + s. The Frobenius endomorphism is not separable, but the separability of rφ q + s is to be examined. We need a convenient criterion for separability. As we will see in the last theorem of this section, the endomorphism rφ q + s is separable if and only if p s, where p is the characteristic of the finite field on which the curve is defined. Here are some preliminaries. If x, y) is a variable point, differentiating y with respect to x yields 2yy = 3x 2 + A. We can also differentiate a rational function fx, y) with respect to x, d fx, y) fx, y) = + dx x fx, y) y. y Lemma Let E be the elliptic curve y 2 = x 3 + Ax + B. Fix a point u, v) on E. Write x, y) + u, v) = fx, y), gx, y)), where fx, y) and gx, y) are rational functions of x, y the coefficients depend on u, v). Then d dx Proof. The group law gives ) 2 y v fx, y) = x u x u gx, y) fx, y) =. y gx, y) = y v)3 + xy v)x u) 2 + 2uy v)x u) 2 vx u) 3 x u) 3 d dx fx, y) = 2y y v)x u) 2y v) 2 x u) 3 x u) 3. A lengthy calculation, using 2yy = 3x 2 + A, yields that x u) 3 y d fx, y) gx, y)) = dx vau + u 3 v 2 Ax x 3 + y 2 ) + y Au u 3 + v 2 + Ax + x 3 y 2 ). Since x, y) and u, v) are on E, we have v 2 = u 3 + Au + B and y 2 = x 3 + Ax + B. d Therefore, the right side of the above expression is 0. Therefore, dxfx, y) = gx,y) y. Lemma Let α 1, α 2, α 3 be nonzero endomorphisms of an elliptic curve E with α 1 + α 2 = α 3. Write α i x, y) = R αi x), ys αi x)).

10 10 RENYI TANG Suppose there are constants c α1, c α2 Then R α 1 x) S α1 x) = c α 1 such that and R α 2 x) S α2 x) = c α 2. R α 3 x) S α3 x) = c α 1 + c α2. Proof. Let x 1, y 1 ) and x 2, y 2 ) be variable points on E. Write x 3, y 3 ) = x 1, y 1 ) + x 2, y 2 ), where x 1, y 1 ) = α 1 x, y), x 2, y 2 ) = α 2 x, y). By Lemma 3.7, such α 1 and α 2 must exist. By the group law, x 3 and y 3 are rational functions of x 1, y 1, x 2, y 2, which are in turn rational functions of x, y. By Lemma 3.13, with u, v) = x 2, y 2 ), Similarly, with u, v) = x 1, y 1 ), x 3 x 1 = y 3 y 1. x 3 = y 3. x 2 y 2 By assumption, x i x = c y i α i y for i = 1, 2. By the chain rule, dx 3 dx = x 3 x 1 x 1 x + x 3 x 2 x 2 x Dividing by y 3 /y yields the result. = y 3 y 1 y 1 y c α 1 + y 3 y 2 y 2 y c α 2 = c α1 + c α2 ) y 3 y. Proposition Let E be an elliptic curve defined over a field K, and let n be a nonzero integer. Suppose that multiplication by n on E is given by nx, y) = R n x), ys n x)) for all x, y) EK), where R n and S n are rational functions. Then R nx) S n x) = n. Proof. Since R n = R n and S n = S n, we have R n/s n = R n/s n. Therefore, we only need to consider positive n. The proposition is obviously true for n = 1. If it is true for n, then Lemma 3.14 implies that it is true for n + 1, the sum of n and 1. Thus the statement is true for all n. Theorem Let E be defined over F q. Let r and s integers, not both 0. The endomorphism rφ q + s is separable if and only if p s, where p is the characteristic of F q.

11 COUNTING POINTS ON ELLIPTIC CURVES OVER F q 11 Proof. Write the multiplication by r endomorphism as Then rx, y) = R r x), ys r x)). R rφq x), ys rφq x)) = rφ q )x, y) = R q rx), y q S q r x)) = R q rx), yx 3 + Ax + B) q 1)/2 S q r x)). This means that we can apply Proposition Therefore, c rφq = R rφ q /S rφq = qr q 1 r R r/s rφq = 0. Also, by Proposition 3.15, c s = R s/s s = s. By Lemma 3.14, R rφ q+s/s rφq+s = c rφq+s = c rφq + c s = 0 + s = s. Therefore, R rφ q+s 0 if and only if p s Degree of endomorphisms of the form aα + bβ. Definition Let E be an elliptic curve over a field K. Let n be a positive integer. The torsion points of E of order n is the set E[n] = {P EK) np = }. Remark E[n] may contain points in EK). It may also be empty. Theorem Let E be an elliptic curve over a field K and let n be a positive integer. If the characteristic of K does not divide n, or is 0, then E[n] Z/nZ Z/nZ. Proof. The proof can be found in [1] Chapter 3. Remark This theorem implies that we can choose a basis {β 1, β 2 } for E[n] Z/nZ Z/nZ. This means that every element of E[n] can be expressed in the form m 1 β 1 + m 2 β 2, where m 1, m 2 are integers that are uniquely determined mod n. Let α : EK) EK) be a homomorphism not necessarily an endomorphism). Then α maps E[n] to E[n]. Therefore, there are integers a, b, c, d Z/nZ such that αβ 1 ) = aβ 1 + cβ 2, αβ 2 ) = bβ 1 + dβ 2. Thus, each homomorphism α : EK) EK) can be represented by a 2 2 matrix ) a b α M =. c d It follows that composition of homomorphisms corresponds to multiplication of the corresponding matrices. In many cases, the homomorphism α will be taken to be an endomorphism, which means a homomorphism that is given by rational functions. Lemma Let M and N be 2 2 matrices. Then detam + bn) a 2 det M b 2 det N = abdetm + N) det M det N) for all scalars a, b.

12 12 RENYI TANG Proof. Let ) w x N = y z We first show that ) N z x = y w ) a b M =. c d TraceMN ) = detm + N) det M det N. A straightforward calculation yields that both sides equal az by + dw cx. The left side of the statement becomes detam + bn) detam) detbn) = TraceaMbN) ) = abtracemn ) = abdetm + N) det M det N). Proposition Let α be an endomorphism of an elliptic curve E defined over a field K. Let n be a positive integer not divisible by the characteristic of K. Then detα M ) degα) mod n). Proof. The proof needs the construction of Weil pairings, which we will not delve into. It can be found in [1] Chapter 3. Lemma Let a, b be scalars and α, β be endomorphisms of an elliptic curve E defined over a field K. Then degaα + bβ) = a 2 degα) + b 2 degβ) + abdegα + β) degα) degβ)). Proof. By Lemma 3.21, degaα + bβ) = detaα M + bβ M ) = a 2 detα M ) + b 2 detβ M ) + abdetα M + β M ) det α M det β M ) for any matrices α M, β M. By Proposition 3.22, degaα+bβ) a 2 degα)+b 2 degβ)+abdegα+β) degα) degβ)) mod n). This is true for any positive integer n not divisible by the characteristic of K, i.e. infinitely many n. Therefore it must be an equality Characteristic equation of Frobenius endomorphisms. The following theorem is crucial in the proof of Schoof s algorithm, the last section of this paper. Theorem Let E be an elliptic curve defined over F q. Let a be q+1 #EF q ). Then φ 2 q aφ q + q = 0 as endomorphisms of E for all x, y). Moreover, for all m with gcdm, q) = 1. a Trace φ q ) m ) mod m) Proof. First, φ 2 q aφ q +q is an endomorphism. By Theorem 3.6, if an endomorphism is not 0, its kernel size is finite. If we prove that its kernel size is infinite, then it is 0. Let m 1 be an integer with gcdm, q)=1. φ q induces a matrix φ q ) m that describes the action of φ q on E[m]. Let ) s t φ q ) m =. u v

13 COUNTING POINTS ON ELLIPTIC CURVES OVER F q 13 Since φ q 1 is separable by Proposition 3.25, Theorem 3.6 and Proposition 3.22, # kerφ q 1) = degφ q 1) detφ q ) m I) = sv tu s + v) + 1 mod m). By Proposition 3.22, sv tu = detφ q ) m ) q mod m). # kerφ q 1) = q + 1 a. Therefore, Trace φ q ) m ) = s + v a mod m). By the Cayley-Hamilton theorem of linear algebra, we have φ q ) 2 m aφ q ) m + qi 0 mod m), We also know that where I is the 2 2 identity matrix. This means that the endomorphism φ 2 q aφ q +q is identically zero on E[m]. Since there are infinitely many choices for m, the kernel of φ 2 q aφ q + q is infinite, and so the endomorphism is Bounding #EF q ): Hasse e theorem. We are now ready to prove Hasse s theorem, which bounds the size of EF q ). First, we consider the endomorphism φ q 1 and prove that EF q ) and the kernel of φ p 1 have the same size. Second, we prove that φ q 1 is separable, and we find that #EF q ) is equal to degφ q 1)). Finally, we will use the fact that degrφ q s) 0 to get a non-negative discriminant that involves degφ q 1). This non-negative discriminant will bound degφ q 1). Proposition Let E be an elliptic curve defined over F q and let n 1. 1) kerφ q 1) = EF q ) 2) φ q 1 is a separable endomorphism, and #EF q ) = degφ q 1). Proof. By Lemma 3.12, x, y) EF q ) if and only if φ q x, y) = x, y). We can multiply the inverse of x, y) to both sides, and thus kerφ q 1) = EF q ). Since φ q is an endomorphism, φ q 1 is also an endomorphism. By Theorem 3.16, it is separable. Then by Theorem 3.6, Therefore #EF q ) = degφ q 1). # kerφ q 1) = degφ q 1). Theorem 3.26 Hasse e theorem). Let E be an elliptic curve defined over a finite field F q. Then #EF q ) q + 1) 2 q. Proof. Let a = q + 1) #EF q ) = q + 1) degφ q 1) by Proposition We want to show that a 2 q. Let r, s be integers with gcds, q) = 1. By Lemma 3.23, degrφ q s) = r 2 degφ q ) + s 2 deg 1) + rsdegφ q 1)) degφ q ) deg 1)). Since degφ q ) = q and deg 1) = 1, Thus Since degrφ q s) 0, degφ q 1)) degφ q ) deg 1) = degφ q 1) q 1 = a. degrφ q s) = r 2 q + s 2 rsa. r 2 q + s 2 rsa 0

14 14 RENYI TANG or equivalently, dividing by s 2, r ) 2 r q a s s) for all r, s with gcds, q) = 1. The set of rational numbers such that gcds, q) = 1 is dense in R. Therefore, qx 2 ax for all real numbers x. The discriminant a 2 4q must then be less than or equal to 0, hence a 2 q. Remark The reason we require gcds, q) = 1 is that a proposition in Weil pairings that we used is restricted to this situation. 4. Schoof s algorithm Schoof s algorithm is an efficient algorithm to compute the number of points in EF q ). By Hasse s theorem, q + 1 #EF q ) is bounded by 4 q. We can know its exact value if we know its modulo by a number greater than 4 q Division polynomials. To prove the mathematical legitimacy of Schoof s algorithm, we need to construct a sequence of complicated polynomials called division polynomials. We will only use them and some of the useful results, whose proofs can be found in [1] Chapter 3. Definition 4.1. Define the division polynomials ψ m Z[x, y, A, B] by ψ 0 = 0 ψ 1 = 1 ψ 2 = 2y ψ 3 = 3x 4 + 6Ax Bx A 2 ψ 4 = 4yx 6 + 5Ax Bx 3 5A 2 x 2 4ABx 8B 2 A 3 ). ψ 2m+1 = ψ m+2 ψ 3 m ψ m 1 ψ 3 m+1 for m 2 ψ 2m = 2y) 1 ψ m )ψ m+2 ψ 2 m 1 ψ m 2 ψ 2 m+1) for m 2. Additionally, define polynomials φ m = xψ 2 m ψ m+1 ψ m 1 ω m = 4y) 1 ψ m+2 ψ 2 m 1 ψ m 2 ψ 2 m+1). Lemma 4.2. ψ n is a polynomial in Z[x, y 2, A, B] when n is odd, and ψ n is a polynomial in 2yZ[x, y 2, A, B] when n is even. Theorem 4.3. Let P = x, y) be a point on the elliptic curve y 2 = x 3 + Ax + B over some field of characteristic not 2), and let n be a positive integer. Then φn x) np = ψnx) 2, ω ) nx, y) ψ n x, y) 3. Lemma 4.4. Let E be defined over F q and E[n] the torsion group of n. Then when n is odd, ψ n is a polynomial in x and, for x, y) EF q ), we have x, y) E[n] if and only if ψ n x) = 0.

15 COUNTING POINTS ON ELLIPTIC CURVES OVER F q Proof and summary of Schoof s algorithm. Suppose E is an elliptic curve given by y 2 = x 3 + Ax + B over F q. By Hasse s theorem, #EF q ) = q + 1 a, with a 2 q. Let S = {2, 3, 5, 7 L} be a set of primes such that l > 4 q. l S If we can determine a mod l for each prime l in S, then by the Chinese remainder theorem, we know a mod l, and therefore a is uniquely determined. Let l be a prime. We can assume that l p, where p is the characteristic of F q, since there always exists another prime that substitutes p and still makes l greater than 4 q. We want to compute a mod l). The first case is when l = 2. If x 3 + Ax + B has a root r F q, then r, 0) E[2] and r, 0) EF q ), so EF q ) has even order. Then q +1 a is even and so a is even. If x 3 + Ax + B has no roots in F q, then EF q ) has no points of order 2, and a is odd. To determine whether x 3 +Ax+B has a root in F q, we can try all elements in F q, but this is very costly. A simpler way is to use the fact that x 3 + Ax + B has a root in F q if and only if it has a common root with x q x, since x q x contains and only contains all elements of F q. The Euclidean algorithm, applied to polynomials, yields the gcd of the two polynomials. If the gcd is 1, then there is no common root and a is odd. If the gcd is not 1, then a is even. Let φ q be the Frobenius endomorphism of E, so By Theorem 3.24, Let x, y) be a point of order l, and let q l q φ q x, y) = x q, y q ). φ 2 q aφ q + q = 0. mod l), q l < l/2. Then qx, y) = q l x, y), so x q2, y q2) + q l x, y) = ax q, y q ). Since rφ q P ) = φ q rp ) for any integer r and point P, x q, y q ) is also a point of order l. Thus, the above relation determines a mod l). The idea is to compute all terms in this relation and find a value of a that makes this relation hold. Note that by Theorem 3.24, if the relation holds for one point x, y) E[l], then a mod l) is determined, and thus it holds for all x, y E[l]. Assume first that x q, y q ) ±q l x, y) for some x, y) E[l]. Then x, y ) def = x q2, y q2) + q l x, y), so a 0 mod l). In this case, the x-coordinates of x q2, y q2) and q l x, y) are distinct, so the sum of the two points is determined by the formula using the line through the two points, rather than a tangent line or a vertical line. Write jx, y) = x j, y j )

16 16 RENYI TANG for integers j. By Theorem 4.3, we may compute x j and y j by using division polynomials. Moreover, x j = r 1,j x) and y j = r 2,j x)y, as x j and y j are given by rational functions. We have ) 2 x y q2 y ql = x q2 x x q2 x. ql ql Writing ) 2 ) 2 y q2 y ql = y 2 y q2 1 r 2,ql x) 2 = x 3 + Ax + B) x 3 + Ax + B) q2 1)/2 r 2,ql x)), and noting that x ql is a function of x, we change x into a rational function of x. Now we want to find j such that x, y ) = x q j, yq j ). First, we look at the x-coordinates. We want x = x q j. As pointed out above, if this happens for one point in E[l], it happens for all points in E[l]. By Lemma 4.4, the roots of ψ l are the x-coordinates of the points in E[l]. This implies that 4.5) x x q j 0 mod ψ l). This means that the numerator of x x q j is a multiple of ψ l. We are here using the fact that the roots of ψ l are simple otherwise, we would obtain only that ψ l divides some power of x x q j ). This is proved by noting that there are l2 1 distinct points of order l, since E[l] Z/nZ Z/nZ where n = l and l p. There are l 2 1)/2 distinct x-coordinates of these points, since if P is in E[n], P is also in E[n]. All of the distinct x-coordinates are roots of ψ l, which has degree l 2 1)/2. Therefore, the roots of ψ l must be simple. Assume now that we have found j such that eq. 4.5) holds. Then x, y ) = ±x q j, yq j ) = xq j, ±yq j ). To determine the sign, we need to look at the y-coordinates. Both y /y and y q j /y can be written as functions of x. If y y q j )/y 0 mod ψ l), then a j mod l). Otherwise, a j mod l). Therefore, we have found a mod l). The last case left is where x q2, y q2 ) = ±qx, y) for all x, y) E[l]. If φ 2 qx, y) = x q2, y q2) = qx, y), then hence aφ q x, y) = φ 2 qx, y) + qx, y) = 2qx, y), a 2 qx, y) = a 2 φ 2 qx, y) = 2q) 2 x, y). Therefore, a 2 q 4q 2 mod l), so a q mod l). Thus q is a square mod l. Let w 2 q mod l). We have φ q + w)φ q w)x, y) = φ 2 q q)x, y) =

17 COUNTING POINTS ON ELLIPTIC CURVES OVER F q 17 for all x, y) E[l]. Let P be any point in E[l]. Then either φ q w)p =, so φ q P = wp, or P = φ q w)p is a finite point with φ q + w)p =. Therefore, in either case, there exists a point P E[l] with φ q P = ±wp. Suppose there exists a point P E[l] such that φ q P = wp. Then = φ 2 q aφ q + q)p = q aw + q)p, so aw 2q 2w 2 mod l). Therefore, a 2w mod l). Similarly, if there exists P such that φ q P = wp, then a 2w mod l). We can check whether we are in this case as follows. We need to know whether or not x q, y q ) = ±wx, y) = ±x w, y w ) = x w, ±y w ) for some x, y) E[l]. Therefore, we compute x q x w, which is a rational function of x. If gcdnumeratorx q x w ), ψ l ) 1, then there is some x, y) E[l] such that φ q x, y) = ±wx, y). If this happens, then use the y-coordinates to determine the sign. Why do we use the gcd rather than simply checking whether we have 0 mod ψ l? The gcd checks for the existence of one point, while looking for 0 mod ψ l ) checks if the relation holds for all points simultaneously. The problem is that we are not guaranteed that φ q P = ±wp for all P E[l]. For example, the matrix representing φ q on E[l] might not be diagonalizable. If gcdnumeratorx q x w ), ψ l ) = 1, then we cannot be in the case qx, y). So the only remaining case is x q2, y q2) = x q2, y q2) = qx, y). In this case, ap = φ 2 q + q)p = for all P E[l]. Therefore, a 0 mod l). We summarize Schoof s algorithm as follows. We start with an elliptic curve E given by y 2 = x 3 +Ax+B over F q. We want to compute #EF q ) = q+1 a. 1) Choose a set of primes S = {2, 3, 5,..., L}with p / S) such that l S l > 4 q. 2) If l = 2, we have a 0 mod 2) if and only if gcdx 3 + Ax + B, x q x) 1. 3) For each odd prime l S, do the following. a) Let q l q mod l) with q l < l/2. b) Compute the x-coordinate x of x, y ) = x q2, y q2) + q l x, y) mod ψ l ). c) For j = 1, 2,..., l 1)/2, do the following. i. Compute the x-coordinate x j of x j, y j ) = jx, y). ii. If x x q j 0 mod ψ l), go to step iii). If not, try the next value of j in step c). If all values 1 j l 1)/2 have been tried, go to step d). iii. Compute y and y j. If y y j )/y 0 mod ψ l ), then a j mod l). If not, then a j mod l). d) If all values 1 j l 1)/2 have been tried without success, let w 2 q mod l). If w does not exist, then a 0 mod l). e) If gcdnumeratorx q x w ), ψ l ) = 1, then a 0 mod l). Otherwise, compute gcdnumeratory q y w )/y), ψ l ).

18 18 RENYI TANG If this gcd is not 1, then a 2w mod l). Otherwise, a 2w mod l). 4) Use a mod l) for each l S to compute a mod l). Choose the value of a that satisfies this congruence and such that a 2 q. The number of points in EF q ) is q + 1 a An example that applies Schoof s algorithm. Example 4.6. Let E be the elliptic curve y 2 = x 3 + 2x + 1 mod 19. By Hasse s theorem, #EF 19 ) = a, where a < 2 19 < 9. In order to determine a, we ll show that Putting these together yields, a 1 mod 2), a 2 mod 3), a 3 mod 5). a 23 mod 30). Since a < 9, we must have a = 7. Start with l = 2. We compute Then we can use the result to compute x 19 x x + 14 mod x 3 + 2x + 1). gcdx 19 x, x 3 + 2x + 1) = gcdx x + 14, x 3 + 2x + 1) = 1. It follows that x 3 + 2x + 1 has no roots in F 19. Therefore, there is no 2-torsion in EF 19 ). So a 1 mod 2). For l = 3, we proceed as in Schoof s algorithm and eventually get to j = 1. We have q 2 = 361 and q 1 mod 3). By the characteristic equation, we need to check whether x 361, y 361) + x, y) = ± x 19, y 19) for x, y) E[3]. The third division polynomial is ψ 3 = 3x x x 4. We compute the x-coordinate of x 361, y 361 ) + x, y): y 361 ) 2 y x x 361 x 361 x = x x + 1) 180 ) x + 1) x x 361 x 361 x, x where we have used the relation y 2 = x 3 +2x+1. We need to reduce this mod ψ 3 ). However, gcdx 361 x, ψ 3 ) = x 8 1, so the multiplicative inverse does not exist. numerator and denominator of We could remove x 8 from the x 3 + 2x + 1) x 361, x but this is unnecessary. Instead, we realize that since x = 8 is a root of ψ 3, the point 8, 4) EF 19 ) has order 3. Therefore, so a 2 mod 3). #EF 19 ) = a 0 mod 3),

19 COUNTING POINTS ON ELLIPTIC CURVES OVER F q 19 For l = 5, we eventually arrive at j = 2 by following Schoof s algorithm. Note that 19 1 mod 5), so q l = 1 and We need to check whether 19x, y) = x, y) = x, y) for all x, y) E[5]. x 1, y 1 ) def = x 361, y 361) + x, y)? = ±2 x 19, y 19) def = ±x 2, y 2 ) for all x, y) E[5]. The fifth division polynomial is computed: ψ 5 = 5x x x 8 + 5x 7 + x 6 + 9x x 4 + 2x 3 + 5x 2 + 8x + 8. The equation for the x-coordinates yields y 361 ) 2 + y x 1 = x 361 x 361 x? 3x 38 ) = x 2y 19 2x 19 = x 2 mod ψ 5 ). When y 2 is changed to x 3 +2x+1, this reduces to a polynomial relation in x, which is then verified. Therefore, a ±2 mod 5). We look at the y-coordinate to determine the sign. y 1 is computed: y9x x x x x x 5 + 8x x 3 + 8x + 6) mod ψ 5 ). The y-coordinate of x 2, y 2 ) = 2x, y) is y13x x x x 7 + 8x 6 + 6x x x 3 + 8x + 18) mod ψ 5 ). A computation yields This means that y 1 + y 19 2 )/y 0 mod ψ 5 ). x 1, y 1 ) x 19 2, y 19 2 ) = 2x q, y q ) mod ψ 5 ). It follows that a 2 mod 5). Therefore, #EF 19 ) = 27. Acknowledgment It is my pleasure to thank my mentor, Adan Medrano Martin Del Campo, for his continuous assistance with problems I encountered in the study of elliptic curves. I would also like to thank Peter May for organizing this great REU program at the University of Chicago. References [1] Lawrence C. Washington. Elliptic Curves: Number Theory and Cryptography. Chapman & Hall/CRC, [2] Igor Tolkov. Counting points on elliptic curves: Hasse s theorem and recent developments